
I have CentOS 7. A vulnerability report shows I need to update Apache, OpenSSL and OpenSSH.

Current version of packages

  1. OpenSSL : Openssl-1.0.1e-60.el7_3.1.x86_64
  2. Current version of Apache : 2.4.6-45.el7.centos.4
  3. Current version of SSH : OpenSSH_6.6.1p1

Hence I need to upgrade Apache, OpenSSL and OpenSSH to good/latest versions, but the yum update repositories still show the old versions.

I tried to upgrade them from .tar.gz, but it was unsuccessful and there are so many package dependencies.

Is there any way to update these packages to the latest versions in CentOS?

Thanks

Prakash
  • Current versions of these packages in the repositories are newer (e.g. `httpd-2.4.6-67.el7.centos.x86_64`), so there is something wrong with either your yum configuration or the repo you are using. Please add the relevant files from `/etc/yum.repos.d` to your post. – Sven Sep 14 '17 at 13:09
  • Note that even then you will not get the latest version from the upstream, but security fixes have been backported into the version supplied by CentOS/RHEL and they are safe. – Sven Sep 14 '17 at 13:10
  • Hello Sven, I have updated to httpd-2.4.6-67.el7.centos.x86_64. Can you please provide steps on how to do the backport, because there are no steps or guide on how to update using backport at this link: https://access.redhat.com/security/updates/backporting/?sc_cid=3093 – Prakash Sep 15 '17 at 09:57
  • You don't need to backport fixes, that is what Red Hat/CentOS are doing for you. The latest version of a distribution package always contains fixes for all relevant issues/CVEs, of course except in the time between discovery of a vulnerability and its fix. You urgently need to learn the fundamentals about the security model of the environment you are using. – Sven Sep 15 '17 at 10:12

1 Answer

4

Too long for a comment:

AFAIK it has been less than a day since the CentOS 7.4 update was released, and your local mirror may not be synced yet. You may need to wait a little bit for the latest updates to become available locally.
You may try a `yum clean all` to prevent cached results, after checking that the Update repositories haven't been disabled.

Assuming your yum repositories are correctly configured, `yum update` is sufficient to keep your system up to date and secure, and there is no need to build software from source.

Please read the vendor's (CentOS is derived from Red Hat Enterprise Linux) explanation of backporting security updates and bug fixes and what the impact on version numbers is.

This answer is an explanation of the big misunderstanding about what security scanners detect, report and recommend, and how that often conflicts with backporting.

HBruijn
  • Hello HBruijn, I have updated httpd to httpd-2.4.6-67.el7.centos.x86_64 using yum update. – Prakash Sep 15 '17 at 10:03
  • Hello HBruijn, I have updated httpd to httpd-2.4.6-67.el7.centos.x86_64 using yum update, but the vulnerability report still shows I need to update httpd to 2.4.20. – Prakash Sep 15 '17 at 10:15
  • Please read the answer I linked to and @Sven's comment! *"A security scan probably detected your Apache version string ... and comes to the ignorant conclusion: to be "secure and compliant" ... you must upgrade to a release Apache httpd `2.4.some-newer-version`."* - Where actually all security updates that might require you to otherwise upgrade were already backported by Red Hat and included in httpd-2.4.6-67.el7.centos.x86_64 – HBruijn Sep 15 '17 at 10:23
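
One way to reconcile a scanner's CVE list with the backporting described in the answer and comments above is to look each CVE up in the installed package's RPM changelog (`rpm -q --changelog`), where the distribution records the fixes it backported. This is an added example, not code from the original posts; the function names, the `CHANGELOG_FILE` override and the placeholder CVE ids in the constructed sample are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage scanner CVE findings against an RPM changelog.

# Print the changelog of an installed package. CHANGELOG_FILE is a
# hypothetical override so the logic can be exercised without rpm.
pkg_changelog() {
    if [ -n "${CHANGELOG_FILE:-}" ]; then
        cat "$CHANGELOG_FILE"
    else
        rpm -q --changelog "$1"
    fi
}

# triage_cves PACKAGE CVE...
# Prints "<CVE> backported" when the changelog names the CVE, otherwise
# "<CVE> not-in-changelog" (check the vendor's advisory for that CVE: it
# may not affect this package at all, or may still be unfixed).
triage_cves() {
    local pkg=$1 log cve
    shift
    log=$(pkg_changelog "$pkg") || return 2
    for cve in "$@"; do
        # -F literal, -w whole word: ...-0001 must not match ...-00012
        if printf '%s\n' "$log" | grep -qiwF -- "$cve"; then
            echo "$cve backported"
        else
            echo "$cve not-in-changelog"
        fi
    done
}

# Constructed sample in `rpm -q --changelog` layout (placeholder CVE ids).
sample_changelog() {
cat <<'EOF'
* Tue Aug 01 2017 Example Packager <packager@example.com> - 2.4.6-67
- Resolves: #0000001 - CVE-0000-0001 httpd: constructed sample entry
* Mon Apr 03 2017 Example Packager <packager@example.com> - 2.4.6-45
- Resolves: #0000002 - CVE-0000-00012 httpd: constructed sample entry
EOF
}

# Offline demo: ./script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    CHANGELOG_FILE=$(mktemp)
    sample_changelog > "$CHANGELOG_FILE"
    triage_cves httpd CVE-0000-0001 CVE-0000-9999
fi
```

On a real host, unset `CHANGELOG_FILE` and pass the CVE ids from the scanner report, for example `triage_cves httpd <CVE ids from the report>`.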